When deploying Capture Client to a complex environment (for example, diverse device profiles, multiple servers, or devices spread across multiple networks), first run a pilot exercise with a limited but representative set of endpoints. The pilot helps you identify the custom conditions you need to plan for in your environment, such as custom whitelists and blacklists and custom policies.
When running the pilot, initially deploy the client application in Detect mode to the chosen endpoints. The chosen endpoints should represent the various types of devices in your environment, and the pilot set should be small enough to manage easily if issues arise. In Detect mode, the client can be run and monitored without any impact on business productivity, and it can run side by side with existing endpoint security products to allow a smooth transition.
See Threat Protection Policies in Capture Client Protecting Assets with Security Policies to learn how to set up an agent in Detect mode.
Depending on the number of pilot endpoints, run the pilot for two to four weeks so that all types of real-time scenarios are covered. During the pilot, review the threat events generated and validate any issues that arise. The key issues you can typically expect are:
Conflict with known good business applications
Some business applications may trigger false positives because of the nature of their activity, while others may conflict with Capture Client because of their application architecture. Review the knowledge base article Capture Client Inter-Operability With Third Party Applications for a list of known applications with interoperability challenges. Create exclusions for applications in your environment that may cause issues.
Also use the threat events to identify such conflicts and decide how you want to manage them. Review Capture Client Protecting Assets with Security Policies to learn how to create Exclusions, and review Capture Client Monitoring with Dashboards, Threats and Applications to learn how to review threat events and the actions to take.
Aggressive threat mitigation policies
The default policy calls for auto-remediation of identified threats as the best practice. However, for certain users or devices you may not want automatic remediation of all threats and may prefer to generate alerts only. Review Capture Client Protecting Assets with Security Policies for the mitigation modes in Threat Protection policies and how to configure them, as well as how to create groups with customized policies.
Certain websites are not filtered
The default web content filtering policy associated with the default Capture Client policy restricts access only to websites in the Hacking and Malware categories. See Capture Client Protecting Assets with Security Policies to configure web content filtering policies that allow or block access to websites in other categories. Associating a web content filtering policy with a Capture Client policy lets endpoint security and content filtering be managed from the same management console, which simplifies administration. The feature also includes web activity reporting for easier monitoring.
Failure to see encrypted traffic on SonicWall firewalls
In some cases, DPI-SSL certificates are pushed to the endpoints to enforce DPI-SSL inspection on SonicWall firewalls. Ensure that the policy is set up not only to push the certificate to the native operating system certificate store but also to enforce it for Firefox users, because Firefox maintains its own certificate store and does not trust the operating system store by default. You can either push the certificate to the Firefox certificate store or force Firefox to use the native operating system store. Review Capture Client Protecting Assets with Security Policies to see how to configure Trusted Certificate policies with DPI-SSL certificates for deployment to clients.
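During the pilot it is worth confirming on a sample Windows endpoint that the Trusted Certificate policy actually landed and that Firefox is configured to honour it. The script below is an added example, not part of the Capture Client documentation; it assumes the DPI-SSL CA thumbprint is a placeholder you replace with your firewall's value and that Firefox is installed in its default location with an enterprise policies.json.

```powershell
# Added verification script (not from the Capture Client documentation).
# Assumptions: $DpiSslThumbprint is a placeholder for your firewall's DPI-SSL CA
# thumbprint; Firefox is installed in the default path shown below.
param(
    [string]$DpiSslThumbprint = 'REPLACE_WITH_DPI_SSL_CA_THUMBPRINT',
    [string]$FirefoxPolicyPath = 'C:\Program Files\Mozilla Firefox\distribution\policies.json'
)

# 1. Trusted Certificate policy: did the CA reach the machine root store?
$thumb  = $DpiSslThumbprint.Replace(' ', '').ToUpper()
$caCert = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $thumb }

if ($caCert) {
    Write-Output "OK    DPI-SSL CA '$($caCert.Subject)' is in LocalMachine\Root (expires $($caCert.NotAfter))"
} else {
    Write-Output "FAIL  DPI-SSL CA $thumb not found in LocalMachine\Root; check the Trusted Certificate policy"
}

# 2. Firefox keeps its own certificate store. The enterprise policy
#    Certificates.ImportEnterpriseRoots = true makes it also trust the OS store.
if (Test-Path $FirefoxPolicyPath) {
    $policies = (Get-Content -Raw -Path $FirefoxPolicyPath | ConvertFrom-Json).policies
    if ($policies.Certificates.ImportEnterpriseRoots -eq $true) {
        Write-Output "OK    Firefox policies.json sets Certificates.ImportEnterpriseRoots = true"
    } else {
        Write-Output "WARN  Firefox policies.json found, but ImportEnterpriseRoots is not true; Firefox users will see certificate errors unless the CA was pushed to the Firefox store"
    }
} else {
    Write-Output "WARN  No Firefox policies.json at $FirefoxPolicyPath; Firefox ignores the OS store unless the CA was pushed to the Firefox store"
}
```

Run it on a few pilot endpoints after the policy has been applied; a FAIL or WARN line points at which half of the DPI-SSL setup (OS store or Firefox) still needs attention.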